Bugtraq mailing list archives
Re: Default configuration in WatchGuard Firewall
From: Ryan.Russell () SYBASE COM (Ryan Russell)
Date: Sat, 4 Sep 1999 10:42:53 -0700
It's always a good idea to disable pings from the outside to your internal network. I don't mean to discourage anyone from doing so, but...
# route add -net 192.168.0.0 netmask 255.255.255.0 gw 100.100.100.100
This only works if you are on the 100.100.100 network, i.e. one hop away. Won't work all the way across the Internet. Have you tried it with source-routing?
Solution is easy ... do not let pings to internal network.
Please do. Does WatchGuard give you some flexibility about what ICMP to let in? I.e. can you shut off the pings in, but still leave on ICMP unreachables, in order to not break path MTU discovery? Does it do the stateful thing and let ICMP echo replies in only if a request was sent, etc?
ICMP is also one of the many interesting things that Firewall-1 leaves on by default. Newbie FW-1 admins usually don't know to go through the properties screen and disable all the things on by default.
Ryan
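
The inbound ICMP policy the questions above describe, modelled as an added example that is not part of the original post and is not WatchGuard or Firewall-1 configuration. The class and function names, the outside address 203.0.113.5, the inside host 192.168.0.10 and the packets are constructed for illustration, and outbound ICMP is assumed to be unrestricted.

```python
import struct

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST = 0, 3, 8
FRAG_NEEDED = 4  # code under type 3 that path MTU discovery depends on

def icmp(itype, code=0, ident=0, seq=0):
    """Build a constructed 8-byte ICMP header (checksum left as 0)."""
    return struct.pack("!BBHHH", itype, code, 0, ident, seq)

class IcmpFilter:
    """Toy perimeter policy: default-deny inbound ICMP, with two exceptions."""

    def __init__(self):
        self.pending = set()  # echo requests seen leaving the inside network

    @staticmethod
    def parse(pkt):
        itype, code, _cksum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
        return itype, code, ident, seq

    def outbound(self, inside, outside, pkt):
        itype, _code, ident, seq = self.parse(pkt)
        if itype == ECHO_REQUEST:
            self.pending.add((inside, outside, ident, seq))
        return True  # assumption: outbound ICMP is not restricted

    def inbound(self, outside, inside, pkt):
        itype, _code, ident, seq = self.parse(pkt)
        if itype == ECHO_REPLY:
            key = (inside, outside, ident, seq)
            if key in self.pending:
                self.pending.discard(key)  # one reply per request
                return True
            return False  # unsolicited reply
        if itype == DEST_UNREACH:
            return True  # all codes, including FRAG_NEEDED for PMTUD
        return False  # echo requests and every other type are dropped

def demo():
    fw, out, ins = IcmpFilter(), "203.0.113.5", "192.168.0.10"
    fw.outbound(ins, out, icmp(ECHO_REQUEST, ident=7, seq=1))
    return [
        fw.inbound(out, ins, icmp(ECHO_REQUEST, ident=1, seq=1)),   # ping in
        fw.inbound(out, ins, icmp(ECHO_REPLY, ident=7, seq=1)),     # solicited
        fw.inbound(out, ins, icmp(ECHO_REPLY, ident=7, seq=1)),     # repeat
        fw.inbound(out, ins, icmp(DEST_UNREACH, FRAG_NEEDED)),      # PMTUD
    ]
```

A production stateful filter would also expire pending entries and match the header embedded in an unreachable against a known flow; this model leaves both out.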